Researchers Highlight Recent Uptick in Java Security Exploits

Microsoft researcher Holly Stewart pointed out in a blog post this week that Java has now passed Adobe Reader
as the most common target for malware. Stewart reports that most Java exploits seen "in the wild" target issues
for which fixes have been available for some time. In particular, three long-known issues in the Oracle JVM,
in Calendar deserialization, in the handling of long file URLs, and in RMI connections, account for an outsized
share of attacks.

Security researcher Brian Krebs hypothesizes on his blog that these long-standing holes are seeing a surge of
exploitation because "exploit pack" makers have recently started shipping functionality that targets these
specific issues. Exploit packs are pre-configured pieces of software sold by hackers to criminal rings, who then
use them to take over the computers of users who visit tainted web sites. The most sophisticated packs have
professional-looking management and statistics consoles that tell the buyer how successful they have been at
gaining access to computers. Krebs cites purportedly real-life screenshots of these consoles as evidence that
Java is a favorite target.

All three of these favorite Java holes have had fixes available since at least March, and one was fixed as far
back as April 2009. But the report suggests that many computers have never received those fixes. A very large
percentage of computers are running old versions of Java. Statistics site StatOwl found that more than 10% of
users have only Java version 1.4 or 1.5 installed, neither of which Oracle has supported for more than a year.
Even among computers running version 1.6, more than half are not running a recent update that addresses the
worst vulnerabilities.
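As an added practical check, not part of the original article or the researchers it cites, the following Python script parses the banner that `java -version` prints and sorts each install into the categories the article describes: 1.4 and 1.5 as unsupported, 1.6 below update 22 as outdated, and 1.6 update 22 as current. The hostnames and banners are constructed sample data, and the "update 22" baseline is an assumption taken from the article's statement about the release Oracle shipped this week.

```python
import re
import subprocess

# `java -version` prints its banner on stderr; the first line looks like
#   java version "1.6.0_22"
# followed by build lines. Only the quoted version string matters here.
_BANNER_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Baselines taken from the article (assumed, not from any vendor feed):
# 1.4 and 1.5 are out of public support, and 6u22 is the 1.6 release
# that closed the 29 issues discussed.
UNSUPPORTED_MINORS = {4, 5}
REQUIRED_16_UPDATE = 22


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a `java -version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update) if update else 0)


def classify(version):
    """Map a parsed version to one of: unsupported, outdated, current, unknown."""
    if version is None:
        return "unknown"
    major, minor, _patch, update = version
    if major == 1 and minor in UNSUPPORTED_MINORS:
        return "unsupported"          # no public fixes at all for these families
    if major == 1 and minor == 6:
        return "current" if update >= REQUIRED_16_UPDATE else "outdated"
    return "unknown"                   # a family the article's baselines do not cover


def audit(banners):
    """Classify a mapping of host -> banner text; returns host -> status."""
    return {host: classify(parse_java_version(text)) for host, text in banners.items()}


def local_java_version():
    """Run `java -version` on this machine and parse it; None if java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample banners for hypothetical hosts, not real inventory data.
SAMPLE_BANNERS = {
    "desktop-01": 'java version "1.4.2_19"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_19-b04)',
    "desktop-02": 'java version "1.5.0_22"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)',
    "desktop-03": 'java version "1.6.0_20"\nJava(TM) SE Runtime Environment (build 1.6.0_20-b02)',
    "desktop-04": 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)',
    "desktop-05": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
    print("this machine:", classify(local_java_version()))
```

Collecting the banners is the part that varies by environment (a login script, a configuration-management run, or `ssh host java -version`); the classification above is the same in each case. A machine that reports "unknown" because `java` is not on the PATH can still carry a browser plug-in, so the PATH check is a starting point rather than a complete inventory.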

There may be a variety of reasons why computers have not been upgraded. Consumers often do not know
that they are running Java at all, much less which version they have or how to upgrade it. In the
enterprise, desktops are often required to keep older versions of Java to support in-house or vendor
applications that have not yet been upgraded, and a Java update can break them. For example, according to Oracle,
if 1.6 update 22 is applied: "The fix for CVE-2010-3560 could cause certain Java applets running in the new
Java Plug-in to stop working if they are embedded in web pages which contain JavaScript that calls into Java
in order to perform actions which require network security permissions." Even Oracle products can have issues with
minor Java point releases, so IT managers are likely to be cautious about every update. Likewise, legacy applications that
still run on Java 1.5 could be left vulnerable, because Oracle stopped public support for 1.5 in November 2009 and
now issues patches only to Java for Business subscribers.

This week, Oracle released update 22 to JDK 1.6, which fixes 29 security issues, some of them major. Java
developers often assume that their applications are immune to security holes because of the sandbox the JVM
supplies. But underneath the bytecode, the JVM implementation itself is native code written in an un-sandboxed
language like C, with direct access to memory; a memory-corruption bug there gives an attacker control below the
level at which the sandbox operates, so the sandbox offers no protection against it.